* Question on PREROUTING and INPUT chains
@ 2002-11-04 20:46 Carlos Façanha
  2002-11-09 12:32 ` Robert P. J. Day
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Carlos Façanha @ 2002-11-04 20:46 UTC (permalink / raw)
  To: netfilter

I have a Linux box used as NAT server and firewall. All
requests on its port 80 are forwarded to a local webserver
inside my network. I want to block access to all services
including http from a specific external host.

I'm using the following rule to block the host

iptables -A INPUT -i $extint -s $hostip -j DROP

and this one to do the NAT

iptables -t nat -A PREROUTING -p tcp --dport 80 -d $extip -j
DNAT --to $webserverip:80

The problem is that the host is blocked from accessing all
services but http. I've already checked if there are any
rules before that ACCEPT the request. It seems that prerouted
packets are bypassing the INPUT chain.

Is it correct? If not, what am I doing wrong?

TIA

Carlos Façanha
carlos.facanha@uol.com.br


---
UOL, the best of the Internet
http://www.uol.com.br/




* Re: Question on PREROUTING and INPUT chains
  2002-11-04 20:46 Carlos Façanha
@ 2002-11-09 12:32 ` Robert P. J. Day
  2002-11-09 13:07 ` Antony Stone
  2002-11-09 14:17 ` Brad Morgan
  2 siblings, 0 replies; 7+ messages in thread
From: Robert P. J. Day @ 2002-11-09 12:32 UTC (permalink / raw)
  To: netfilter mailing list

On Mon, 4 Nov 2002, Carlos Façanha wrote:

> I have a Linux box used as NAT server and firewall. All 
> requests on its port 80 are forwarded to a local webserver 
> inside my network. I want to block access to all services 
> including http from a specific external host.
> 
> I'm using the following rule to block the host
> 
> iptables -A INPUT -i $extint -s $hostip -j DROP
> 
> and this one to do the NAT
> 
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d $extip -j 
> DNAT --to $webserverip:80
> 
> The problem is that the host is blocked from accessing all 
> services but http. I've already checked if there are any 
> rules before that ACCEPT the request. It seems that prerouted 
> packets are bypassing the INPUT chain.

as i read it, filtering on INPUT is only going to be effective
for those packets that are destined for the local host itself.
setting up nat PREROUTING sends those incoming packets, not to
filter/INPUT, but through the FORWARD chain.

if you want to drop some outside host from getting thru to the
internal webserver, you should add the DROP rule, not to INPUT,
but to FORWARD.

unless, of course, i'm badly mistaken.

rday




* Re: Question on PREROUTING and INPUT chains
  2002-11-04 20:46 Carlos Façanha
  2002-11-09 12:32 ` Robert P. J. Day
@ 2002-11-09 13:07 ` Antony Stone
  2002-11-09 14:17 ` Brad Morgan
  2 siblings, 0 replies; 7+ messages in thread
From: Antony Stone @ 2002-11-09 13:07 UTC (permalink / raw)
  To: netfilter

On Monday 04 November 2002 8:46 pm, Carlos Façanha wrote:

> I have a Linux box used as NAT server and firewall. All
> requests on its port 80 are forwarded to a local webserver
> inside my network. I want to block access to all services
> including http from a specific external host.
>
> I'm using the following rule to block the host
>
> iptables -A INPUT -i $extint -s $hostip -j DROP
>
> and this one to do the NAT
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d $extip -j
> DNAT --to $webserverip:80
>
> The problem is that the host is blocked from accessing all
> services but http. I've already checked if there are any
> rules before that ACCEPT the request. It seems that prerouted
> packets are bypassing the INPUT chain.
>
> Is it correct? If not, what am I doing wrong?

It is correct that routed packets bypass the INPUT chain.   Only packets 
destined for the firewall machine go through INPUT - packets which are going 
somewhere else go through FORWARD.

Therefore put your blocking rule in the FORWARD chain instead and it should 
do what you want.

Antony.

-- 

If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.



* RE: Question on PREROUTING and INPUT chains
  2002-11-04 20:46 Carlos Façanha
  2002-11-09 12:32 ` Robert P. J. Day
  2002-11-09 13:07 ` Antony Stone
@ 2002-11-09 14:17 ` Brad Morgan
  2 siblings, 0 replies; 7+ messages in thread
From: Brad Morgan @ 2002-11-09 14:17 UTC (permalink / raw)
  To: Carlos Façanha, netfilter

> I have a Linux box used as NAT server and firewall. All 
> requests on its port 80 are forwarded to a local webserver 
> inside my network. I want to block access to all services 
> including http from a specific external host.

Carlos,

You almost answered your own question.  "All requests on its
port 80 are forwarded".  So the rule to block a specific IP
needs to be in the FORWARD chain, not the INPUT chain.

Regards,

Brad





* Re: Question on PREROUTING and INPUT chains
@ 2002-11-09 14:55 Simon Kowallik
  2002-11-11 23:41 ` alex
  0 siblings, 1 reply; 7+ messages in thread
From: Simon Kowallik @ 2002-11-09 14:55 UTC (permalink / raw)
  To: netfilter


  Antony Stone wrote:

>On Monday 04 November 2002 8:46 pm, Carlos Façanha wrote:
>
>  
>
>>I have a Linux box used as NAT server and firewall. All
>>requests on its port 80 are forwarded to a local webserver
>>inside my network. I want to block access to all services
>>including http from a specific external host.
>>
>>I'm using the following rule to block the host
>>
>>iptables -A INPUT -i $extint -s $hostip -j DROP
>>
>>and this one to do the NAT
>>
>>iptables -t nat -A PREROUTING -p tcp --dport 80 -d $extip -j
>>DNAT --to $webserverip:80
>>
>>The problem is that the host is blocked from accessing all
>>services but http. I've already checked if there are any
>>rules before that ACCEPT the request. It seems that prerouted
>>packets are bypassing the INPUT chain.
>>
>>Is it correct? If not, what am I doing wrong?
>>    
>>
>
>It is correct that routed packets bypass the INPUT chain.   Only packets 
>destined for the firewall machine go through INPUT - packets which are going 
>somewhere else go through FORWARD.
>
>Therefore put your blocking rule in the FORWARD chain instead and it should 
>do what you want.
>
>Antony.
>
>  
>
Perhaps this helps to better understand the "flow":
http://offlineprovider.de/site/netfilter/netfilter.php

Regards,
Simon



* Re: Question on PREROUTING and INPUT chains
  2002-11-09 14:55 Question on PREROUTING and INPUT chains Simon Kowallik
@ 2002-11-11 23:41 ` alex
  2002-11-11 23:53   ` Antony Stone
  0 siblings, 1 reply; 7+ messages in thread
From: alex @ 2002-11-11 23:41 UTC (permalink / raw)
  To: Simon Kowallik; +Cc: netfilter

On Sat, 2002-11-09 at 14:55, Simon Kowallik wrote:
> Perhaps this helps to better understand the "flow":
> http://offlineprovider.de/site/netfilter/netfilter.php
> 
> Regards,
> Simon

If I'm understanding the diagram correctly that might explain my
problems. Am I to understand that all packets on a NAT'ed connection
never go through the FORWARD chain of filter?

Is there a pointer to a ChangeLog for netfilter behaviour between 2.4.17
and 2.4.18?

-- 
alex <alex@bennee.com>
My own hacking haven




* Re: Question on PREROUTING and INPUT chains
  2002-11-11 23:41 ` alex
@ 2002-11-11 23:53   ` Antony Stone
  0 siblings, 0 replies; 7+ messages in thread
From: Antony Stone @ 2002-11-11 23:53 UTC (permalink / raw)
  To: netfilter

On Monday 11 November 2002 11:41 pm, alex wrote:

> On Sat, 2002-11-09 at 14:55, Simon Kowallik wrote:
> > Perhaps this helps to better understand the "flow":
> > http://offlineprovider.de/site/netfilter/netfilter.php
> >
> > Regards,
> > Simon
>
> If I'm understanding the diagram correctly that might explain my
> problems. Am I to understand that all packets on a NAT'ed connection
> never go through the FORWARD chain of filter?

No, that is not correct.

ALL packets which get routed through a netfilter box go through the FORWARD 
filter chain.

Packets coming in to a netfilter box (and either terminating there, or going 
through it to some other destination) go through the PREROUTING nat table.

Packets leaving a netfilter box (whether they came through it from somewhere 
else, or originated on the box) go through the POSTROUTING nat table.

The only thing which normally catches people out is that reply packets which 
are part of a NATted connection do not go through the rules in the nat tables 
- they get "automagically reverse NATted" in the correct way to match the NAT 
of the original packets (to which these are replies), which *was* done by a 
rule in the tables.

Basically what I'm saying is that you only need to specify nat rules for the 
first packet in a connection - you don't need to worry about writing your own 
rule to nat the reply.

Hope this helps.

Antony.

-- 

I vote "no" to this proposal to form a committee to investigate whether we 
should or should not hold a ballot on whether to vote yet.
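The two points made in this thread (a DNATted packet is routed after nat/PREROUTING and therefore hits FORWARD rather than INPUT, and reply packets of a NATted connection are reversed by conntrack without going through the nat rules again) can be seen in a small traversal model. The following is an added example, not code from the thread or from the netfilter project; the addresses, interface names and the Rule/Packet representation are constructed stand-ins for $extip, $webserverip, $hostip and $extint, and every chain is assumed to have policy ACCEPT. It also shows the caveat behind Carlos's original goal of blocking "all services including http": a DROP in FORWARD alone un-blocks the box's own services, so the rule is needed in both INPUT and FORWARD.

```python
"""Toy model of netfilter traversal for the case discussed in this thread.

Added example; not code from the thread or from netfilter itself. Addresses
(RFC 5737 documentation ranges), interface names and the Rule/Packet classes
are constructed for illustration. Only what the thread discusses is modelled:
nat/PREROUTING DNAT, the routing decision, filter/INPUT vs filter/FORWARD,
and conntrack reversing the NAT on replies without consulting the nat rules.
"""
from dataclasses import dataclass
from typing import Optional

EXT_IP = "203.0.113.1"            # stands in for $extip (the box's only local address)
WEB_IP = "192.168.1.10"           # stands in for $webserverip
BAD_HOST = "198.51.100.7"         # stands in for $hostip
GOOD_HOST = "198.51.100.8"        # an unrelated external client
EXT_IF, INT_IF = "eth0", "eth1"   # $extint and the inside interface


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str


@dataclass
class Rule:
    target: str                    # DROP, ACCEPT or DNAT
    src: Optional[str] = None      # -s
    dst: Optional[str] = None      # -d
    dport: Optional[int] = None    # --dport
    in_if: Optional[str] = None    # -i
    to: Optional[tuple] = None     # --to ip:port (DNAT only)
    hits: int = 0                  # like the pkts counter of iptables -L -v

    def matches(self, p: Packet) -> bool:
        wanted = ((self.src, p.src), (self.dst, p.dst),
                  (self.dport, p.dport), (self.in_if, p.in_if))
        return all(w is None or w == got for w, got in wanted)


class Box:
    """Firewall whose only local address is EXT_IP; every chain has policy ACCEPT."""

    def __init__(self):
        self.nat_prerouting, self.filter_input, self.filter_forward = [], [], []
        self.conntrack = {}   # original (src, sport, dst, dport) -> (DNAT ip, DNAT port)

    @staticmethod
    def first_match(chain, p):
        for r in chain:
            if r.matches(p):
                r.hits += 1
                return r
        return None

    def traverse(self, p: Packet):
        """Return (verdict, chain that decided, flow after translation)."""
        key = (p.src, p.sport, p.dst, p.dport)
        reply_of = next((k for k, v in self.conntrack.items()
                         if (p.src, p.sport) == v and (p.dst, p.dport) == k[:2]), None)
        new_entry = None
        if reply_of:
            # Reply of a NATted connection: conntrack undoes the DNAT on the
            # source address; the nat rules are not consulted at all.
            p.src, p.sport = reply_of[2:]
        elif key in self.conntrack:
            p.dst, p.dport = self.conntrack[key]   # later packets reuse the mapping
        else:
            r = self.first_match(self.nat_prerouting, p)
            if r and r.target == "DNAT":
                new_entry = r.to
                p.dst, p.dport = r.to
        # The routing decision comes AFTER nat/PREROUTING, so a DNATted packet
        # is no longer addressed to the box and takes FORWARD, not INPUT.
        chain, name = ((self.filter_input, "INPUT") if p.dst == EXT_IP
                       else (self.filter_forward, "FORWARD"))
        r = self.first_match(chain, p)
        verdict = r.target if r else "ACCEPT"
        if verdict == "ACCEPT" and new_entry:
            self.conntrack[key] = new_entry   # entry is kept only if the packet survives
        return verdict, name, f"{p.src}:{p.sport}->{p.dst}:{p.dport}"


def build(drop_in: set) -> Box:
    """Carlos's ruleset; drop_in names the filter chains that get the DROP for $hostip."""
    box = Box()
    box.nat_prerouting.append(Rule("DNAT", dst=EXT_IP, dport=80, to=(WEB_IP, 80)))
    for name in drop_in:
        getattr(box, f"filter_{name.lower()}").append(Rule("DROP", src=BAD_HOST, in_if=EXT_IF))
    return box


def probe(drop_in: set) -> dict:
    """What $hostip gets for ssh to the box itself and for http (DNATted to the webserver)."""
    box = build(drop_in)
    ssh = box.traverse(Packet(BAD_HOST, 40001, EXT_IP, 22, EXT_IF))
    http = box.traverse(Packet(BAD_HOST, 40002, EXT_IP, 80, EXT_IF))
    return {"ssh": ssh[:2], "http": http[:2]}


def reply_demo() -> tuple:
    """A legitimate client's request and the webserver's reply; nat rule hit count stays 1."""
    box = build({"INPUT", "FORWARD"})
    req = box.traverse(Packet(GOOD_HOST, 50000, EXT_IP, 80, EXT_IF))
    rep = box.traverse(Packet(WEB_IP, 80, GOOD_HOST, 50000, INT_IF))
    return req, rep, box.nat_prerouting[0].hits


if __name__ == "__main__":
    print("DROP only in INPUT  :", probe({"INPUT"}))
    print("DROP only in FORWARD:", probe({"FORWARD"}))
    print("DROP in both        :", probe({"INPUT", "FORWARD"}))
    print("request / reply     :", reply_demo())
```

Running it reproduces Carlos's symptom (DROP only in INPUT: ssh dropped, http accepted via FORWARD), shows why the replies on the list fix http (DROP in FORWARD), and shows the DNAT rule's hit counter not moving when the webserver's reply passes through, which is the "automagic reverse NAT" Antony describes.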


